Всем привет!
Есть такая конфигурация: есть комп с freebsd 6.1 на ней два интерфейса один wifi в режиме точки доступа смотрит внутрь 192.168.1.1, другая сетевуха смотрит в сеть провайдера адрес по дцхп получает(192.168.201.x) к инету коннект через pptp vpn, также поднят нат чтоб с буком (192.168.1.11)по квартире ходить, теперь необходимо защитить wifi с помощью ipsec делал как в мануале тимоти хана ничего не получилось
Вот конфиги:
rc.confgateway_enable="YES"
inetd_enable="YES"
keymap="ru.koi8-r"
linux_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
#ipsec_enable="YES"
#ipsec_file="/etc/ipsec.conf"
ifconfig_fxp0="DHCP"
hostname=",бла бла бла"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-dynamic"
правила при загрузке отключены я загружаю командой setkey -f /etc/ipsec.conf
ipsec.conf
flush;
spdflush;
spdadd 192.168.1.11 0.0.0.0/0 any -P in ipsec
esp/tunnel/192.168.1.11-192.168.1.1/require;
spdadd 0.0.0.0/0 192.168.1.11 any -P out ipsec
esp/tunnel/192.168.1.1-192.168.1.11/require;
racoon.conf
# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
# "path" affects "include" directives. "path" must be specified before any
# "include" directive with relative file path.
# you can overwrite "path" directive afterwards, however, doing so may add
# more confusion.
path include "/usr/local/etc/racoon";
#include "remote.conf";
# the file should contain key ID/key pairs, for pre-shared key authentication.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "@sysconfdir_x@/cert";
# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
#log debug;
# "padding" defines some padding parameters. You should not touch these.
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
# if no listen directive is specified, racoon will listen on all
# available interface addresses.
listen
{
#isakmp ::1 [7000];
isakmp 192.168.1.1 [500];
#admin [7002]; # administrative port for racoonctl.
#strict_address; # requires that all addresses must be bound.
}
# Specify various default timers.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per send.
# maximum time to wait for completing each phase.
phase1 30 sec;
phase2 15 sec;
}
remote 192.168.1.11 [500]
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
lifetime time 3600 sec;
nonce_size 16;
initial_contact on;
proposal_check obey; # obey, strict, or claim
proposal {
lifetime time 3600 sec;
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo anonymous
{
lifetime time 3600 sec;
pfs_group 2;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
psk.txt
# IPv4/v6 addresses
192.168.1.11 sekretkeyfrase
доступ у файла 600
Политики ipsec для винды в точности как в выше указаной статье!
ракун выводит слудующее
ERROR: unknown informational exchange received.
INFO: respond new phase 1 negotiation :192.168.1.1[500]<=>192.168.1.11[500]
INFO: begin identity protection mode
INFO: received broken microsoft ID: MS NT5 ISAKMPOAKLEY
INFO: received vendor ID: FRAGMENTATION
INFO: received vendor ID: draft-ietf-ipsec-nat-t-ike-02
ERROR: phrase1 negotiation failed due to time up
Если есть знающие люди подскажите что не так, может я какой то пакет не установил?????????
